Bug#1012613: nftables: upgrade stops but does not start service

[Jeremy Sowden]

On 2022-06-19, at 13:48:59 +0200, Arturo Borrero Gonzalez wrote:
> On Fri, 10 Jun 2022 12:21:37 +0200 Christian Göttsche wrote:
> > Package: nftables
> > Version: 1.0.4-1
> > Severity: serious
> >
> > Dear Maintainer,
> >
> > upgrades of nftables stop the service but do not start it (even if the
> > service is actually enabled).
> > This can lead to lockouts, e.g. when using special rules for ssh access.
> >
> >
> > nft.preinst:
> >
> > #!/bin/sh
> > set -e
> > # Automatically added by dh_installsystemd/13.7.1
> > if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d 
> > /run/systemd/system ] ; then
> >        deb-systemd-invoke stop 'nftables.service' >/dev/null || true
> > fi
> > # End automatically added section
> >
> >
> > nft.postinst:
> >
> > #!/bin/sh
> > set -e
> > # Automatically added by dh_installsystemd/13.7.1
> > if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = 
> > "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
> >        if deb-systemd-helper debian-installed 'nftables.service'; then
> >                # This will only remove masks created by d-s-h on package 
> > removal.
> >                deb-systemd-helper unmask 'nftables.service' >/dev/null || 
> > true
> >
> >                if deb-systemd-helper --quiet was-enabled 
> > 'nftables.service'; then
> >                        # Create new symlinks, if any.
> >                        deb-systemd-helper enable 'nftables.service' 
> > >/dev/null || true
> >                fi
> >        fi
> >
> >        # Update the statefile to add new symlinks (if any), which need to 
> > be cleaned
> >        # up on purge. Also remove old symlinks.
> >        deb-systemd-helper update-state 'nftables.service' >/dev/null || true
> > fi
> > # End automatically added section
>
> I confirmed this can be a problem:
>
> [...]
>
> @Alberto, @Jeremy,
>
> It seems to me like we need to play with the dh_installsystemd
> --no-restart-after-upgrade option, but don't have time to figure out the
> right logic.
>
> I'm currently unable to handle this. Could you please take a look?

Yup.

J.

signature.asc
Description: PGP signature